🚨 CVE-2026-56768
Seahub before 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on GET /api/v2.1/share-link-zip-task/, allowing unauthenticated users to bypass authentication. Attackers with a folder share-link token can call the GET endpoint to obtain a fileserver zip token and download entire shared directory trees.
🎖@cveNotify
Seahub before 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on GET /api/v2.1/share-link-zip-task/, allowing unauthenticated users to bypass authentication. Attackers with a folder share-link token can call the GET endpoint to obtain a fileserver zip token and download entire shared directory trees.
🎖@cveNotify
GitHub
Update share_link_zip_task.py · haiwen/seahub@162cdda
The web end of seafile server. Contribute to haiwen/seahub development by creating an account on GitHub.
🚨 CVE-2026-56769
Huly Platform through 0.7.423, fixed in commit 68cbf8a contains an authenticated server-side request forgery vulnerability in the /import endpoint of front pod that allows workspace users to make arbitrary server requests. Attackers can exploit this by supplying malicious URLs to fetch internal services, exfiltrate responses, and replay credentials against backend systems.
🎖@cveNotify
Huly Platform through 0.7.423, fixed in commit 68cbf8a contains an authenticated server-side request forgery vulnerability in the /import endpoint of front pod that allows workspace users to make arbitrary server requests. Attackers can exploit this by supplying malicious URLs to fetch internal services, exfiltrate responses, and replay credentials against backend systems.
🎖@cveNotify
GitHub
Apply fixes · hcengineering/platform@68cbf8a
Signed-off-by: Artem Savchenko <armisav@gmail.com>
🚨 CVE-2026-56770
libais through 0.15 VdmStream::AddLine uses an unchecked sentinel value as a vector index when processing AIS sentences with empty or out-of-range sequential message IDs. Remote attackers can crash services or vessel systems by sending crafted AIVDM sentences over VHF marine radio or IP feeds, causing out-of-bounds memory access and potential corruption.
🎖@cveNotify
libais through 0.15 VdmStream::AddLine uses an unchecked sentinel value as a vector index when processing AIS sentences with empty or out-of-range sequential message IDs. Remote attackers can crash services or vessel systems by sending crafted AIVDM sentences over VHF marine radio or IP feeds, causing out-of-bounds memory access and potential corruption.
🎖@cveNotify
GitHub
Out-of-Bounds `std::vector` Index in libais `VdmStream::AddLine` via Attacker-Controlled AIS Sequence ID · Issue #263 · schwehr/libais
Author(s): FuzzingLabs poc_libais_vdm.cpp Executive Summary FuzzingLabs identified a memory-safety vulnerability in libais, a widely used C++ AIS (Automatic Identification System) decoder. A single...
🚨 CVE-2026-56771
NewsBlur before version 14.5.0 contains a server-side request forgery vulnerability in the add_url endpoint that allows authenticated users to make arbitrary server requests to internal networks by failing to filter private IP addresses. Attackers can exploit this to access localhost services and cloud metadata endpoints, enabling internal network scanning and sensitive data exfiltration.
🎖@cveNotify
NewsBlur before version 14.5.0 contains a server-side request forgery vulnerability in the add_url endpoint that allows authenticated users to make arbitrary server requests to internal networks by failing to filter private IP addresses. Attackers can exploit this to access localhost services and cloud metadata endpoints, enabling internal network scanning and sensitive data exfiltration.
🎖@cveNotify
GitHub
Block private feed fetch URLs · samuelclay/NewsBlur@2e6c681
NewsBlur is a personal news reader that brings people together to talk about the world. A new sound of an old instrument. - Block private feed fetch URLs · samuelclay/NewsBlur@2e6c681
🚨 CVE-2026-56772
NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate user_id values to access another user's follows, replies, and social activity without authorization.
🎖@cveNotify
NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate user_id values to access another user's follows, replies, and social activity without authorization.
🎖@cveNotify
GitHub
Fix social IDOR access checks · samuelclay/NewsBlur@613c60b
NewsBlur is a personal news reader that brings people together to talk about the world. A new sound of an old instrument. - Fix social IDOR access checks · samuelclay/NewsBlur@613c60b
🚨 CVE-2026-56774
Kanboard through 1.2.52, fixed in commit 928c68a, UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authenticated users to delete other users' Remember Me sessions. Attackers can enumerate sequential session IDs and mass-invalidate persistent login sessions of any user, including administrators, forcing re-authentication and causing denial of service.
🎖@cveNotify
Kanboard through 1.2.52, fixed in commit 928c68a, UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authenticated users to delete other users' Remember Me sessions. Attackers can enumerate sequential session IDs and mass-invalidate persistent login sessions of any user, including administrators, forcing re-authentication and causing denial of service.
🎖@cveNotify
GitHub
fix(user): scope remember me session removal to its owner · kanboard/kanboard@928c68a
Constrain RememberMeSessionModel::remove() by user_id in addition to the
session id so a session row can only be removed by the user that owns it.
Pass the authenticated user id from the controller...
session id so a session row can only be removed by the user that owns it.
Pass the authenticated user id from the controller...
🚨 CVE-2026-56779
MaxKB before 2.10.0 contains a server-side request forgery vulnerability in tool creation and update endpoints that allows authenticated users to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and download_url parameters. Attackers with default workspace USER role can exploit this to access internal network services by providing malicious URLs to the ToolSerializer endpoints.
🎖@cveNotify
MaxKB before 2.10.0 contains a server-side request forgery vulnerability in tool creation and update endpoints that allows authenticated users to make arbitrary server requests by supplying unvalidated downloadCallbackUrl and download_url parameters. Attackers with default workspace USER role can exploit this to access internal network services by providing malicious URLs to the ToolSerializer endpoints.
🎖@cveNotify
GitHub
fix: validate download callback URL in multiple components · 1Panel-dev/MaxKB@6c156af
🔥 MaxKB is an open-source platform for building enterprise-grade agents. 强大易用的开源企业级智能体平台。 - fix: validate download callback URL in multiple components · 1Panel-dev/MaxKB@6c156af
🚨 CVE-2026-56786
RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in decode_type1033 function that fails to clamp length counters to destination buffer size, allowing up to 191-byte overflow into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a valid CRC-bearing type-1033 message to corrupt adjacent rtcm_t object members, potentially achieving arbitrary code execution or denial of service.
🎖@cveNotify
RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in decode_type1033 function that fails to clamp length counters to destination buffer size, allowing up to 191-byte overflow into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a valid CRC-bearing type-1033 message to corrupt adjacent rtcm_t object members, potentially achieving arbitrary code execution or denial of service.
🎖@cveNotify
GitHub
Out-of-Bounds Write in RTKLIB decode_type1033 via Unbounded RTCM3 Antenna/Receiver Descriptor Lengths · Issue #799 · tomojitakasu/RTKLIB
Author(s): Nabih Benazzouz - @raefko Date: 2026-06-09 Executive Summary @FuzzingLabs identified an out-of-bounds write in RTKLIB's RTCM3 "Receiver and Antenna Descriptor" decoder deco...
🚨 CVE-2026-56787
RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read vulnerability in the decode_ssr3 function at src/rtcm3.c:1446 that allows remote attackers to trigger a global buffer overflow via crafted RTCM3 SSR messages with attacker-controlled signal mode fields. Remote attackers can exploit this vulnerability by sending malicious SSR correction streams over NTRIP or serial connections to cause denial of service or crash RTKLIB rovers and CORS servers.
🎖@cveNotify
RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read vulnerability in the decode_ssr3 function at src/rtcm3.c:1446 that allows remote attackers to trigger a global buffer overflow via crafted RTCM3 SSR messages with attacker-controlled signal mode fields. Remote attackers can exploit this vulnerability by sending malicious SSR correction streams over NTRIP or serial connections to cause denial of service or crash RTKLIB rovers and CORS servers.
🎖@cveNotify
GitHub
Global-Buffer-Overflow in RTKLIB `decode_ssr3` (SSR Code-Bias) via RTCM3 Off-By-One · Issue #798 · tomojitakasu/RTKLIB
Author(s): Nabih Benazzouz - @raefko Date: 2026-06-09 Executive Summary @FuzzingLabs identified an off-by-one out-of-bounds read in RTKLIB's RTCM3 State-Space-Representation (SSR) code-bias dec...
🚨 CVE-2026-56788
RTKLIB through 2.4.3 contains an out-of-bounds read vulnerability in getcodepri function when processing unrecognized RINEX observation codes, allowing attackers to trigger denial of service. Crafted RINEX files with unknown observation types cause negative array indexing into the codepris table, resulting in reliable crashes and potential memory disclosure of adjacent global data.
🎖@cveNotify
RTKLIB through 2.4.3 contains an out-of-bounds read vulnerability in getcodepri function when processing unrecognized RINEX observation codes, allowing attackers to trigger denial of service. Crafted RINEX files with unknown observation types cause negative array indexing into the codepris table, resulting in reliable crashes and potential memory disclosure of adjacent global data.
🎖@cveNotify
GitHub
Global-Buffer-Overflow in RTKLIB `getcodepri` via Unrecognized RINEX Observation Code · Issue #797 · tomojitakasu/RTKLIB
Author(s): Nabih Benazzouz - @raefko Date: 2026-06-09 Executive Summary @FuzzingLabs identified an out-of-bounds read in RTKLIB's signal-priority lookup getcodepri, reachable when a RINEX obser...
🚨 CVE-2026-56789
RTKLIB through 2.4.3 contains a heap buffer overflow vulnerability in the readrnxobsb function in src/rinex.c that allows attackers to trigger memory corruption by failing to clamp satellite count values from RINEX epoch headers. Attackers can craft malicious RINEX files declaring more than 64 satellites per epoch to cause heap buffer overflow writes and out-of-bounds stack reads, crashing RTKLIB-based applications including rnx2rtkp and RTKPOST.
🎖@cveNotify
RTKLIB through 2.4.3 contains a heap buffer overflow vulnerability in the readrnxobsb function in src/rinex.c that allows attackers to trigger memory corruption by failing to clamp satellite count values from RINEX epoch headers. Attackers can craft malicious RINEX files declaring more than 64 satellites per epoch to cause heap buffer overflow writes and out-of-bounds stack reads, crashing RTKLIB-based applications including rnx2rtkp and RTKPOST.
🎖@cveNotify
GitHub
Out-of-Bounds Access in RTKLIB `readrnxobsb` via Oversized RINEX Epoch Satellite Count · Issue #796 · tomojitakasu/RTKLIB
Author(s): Nabih Benazzouz - @raefko Date: 2026-06-09 Executive Summary @FuzzingLabs identified an out-of-bounds access in RTKLIB's RINEX observation reader, readrnxobsb, reachable from a craft...
🚨 CVE-2026-56790
CANBoat through 6.22, fixed in commit a5a22b7, contains an off-by-one global buffer overflow in the searchForPgn() function in analyzer/pgn.c that allows remote attackers to crash the application. Attackers can deliver a crafted NMEA-2000 message with an out-of-range PGN value over CAN bus or N2K-over-IP to trigger an out-of-bounds array access and denial of service.
🎖@cveNotify
CANBoat through 6.22, fixed in commit a5a22b7, contains an off-by-one global buffer overflow in the searchForPgn() function in analyzer/pgn.c that allows remote attackers to crash the application. Attackers can deliver a crafted NMEA-2000 message with an out-of-range PGN value over CAN bus or N2K-over-IP to trigger an out-of-bounds array access and denial of service.
🎖@cveNotify
GitHub
fix: prevent out-of-bounds read for out-of-range PGNs (#649) · canboat/canboat@a5a22b7
searchForPgn() ran a binary search over pgnList[] with a closed range
whose upper bound was the element count (end = pgnListSize) and a
`start <= end` loop. For a PGN larger than every table...
whose upper bound was the element count (end = pgnListSize) and a
`start <= end` loop. For a PGN larger than every table...
🚨 CVE-2026-57700
Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files.
This issue affects OMGF Pro: from n/a through 5.2.6.
🎖@cveNotify
Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files.
This issue affects OMGF Pro: from n/a through 5.2.6.
🎖@cveNotify
Patchstack
Arbitrary File Upload in WordPress OMGF Pro Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
🚨 CVE-2026-34917
Low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorised access and exploit API‑level vulnerabilities. The session context (web/API) is now recorded along with other session data, preventing session IDs from being used interchangeably.
🎖@cveNotify
Low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorised access and exploit API‑level vulnerabilities. The session context (web/API) is now recorded along with other session data, preventing session IDs from being used interchangeably.
🎖@cveNotify
HackerOne
Revive Adserver disclosed on HackerOne: Session ID reuse allowing...
HackerOne community member 0x4c616e has reported that low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted...
❤1
🚨 CVE-2026-44956
Low‑privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system‑generated emails, whose content is stored in the details field of the userlog table. An admin user viewing the email content through userlog-details.php would have any malicious JavaScript payload executed due to missing output sanitisation. Proper escaping has been added to the userlog details output.
🎖@cveNotify
Low‑privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system‑generated emails, whose content is stored in the details field of the userlog table. An admin user viewing the email content through userlog-details.php would have any malicious JavaScript payload executed due to missing output sanitisation. Proper escaping has been added to the userlog details output.
🎖@cveNotify
HackerOne
Revive Adserver disclosed on HackerOne: Stored XSS via Full Name...
HackerOne community member barcrange (3l4) has reported that low‑privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system‑generated emails,...
🚨 CVE-2026-44960
A stored XSS can be exploited by leveraging the usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the username would be executed due to missing output sanitisation. Proper escaping has been added to the audit log details output.
🎖@cveNotify
A stored XSS can be exploited by leveraging the usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the username would be executed due to missing output sanitisation. Proper escaping has been added to the audit log details output.
🎖@cveNotify
HackerOne
Revive Adserver disclosed on HackerOne: Stored XSS via malicious...
HackerOne community member barcrange (3l4) has reported that usernames could be used as a vector for a stored XSS attack. When an admin user viewed the audit log details for affected entries, any...
🚨 CVE-2026-44961
The XML‑RPC API addUser method has a validation bypass introduced in the fix for CVE‑2025‑55129. As a result, API users could create usernames that enabled impersonation or stored XSS attacks. Proper validation has been added where it was missing.
🎖@cveNotify
The XML‑RPC API addUser method has a validation bypass introduced in the fix for CVE‑2025‑55129. As a result, API users could create usernames that enabled impersonation or stored XSS attacks. Proper validation has been added where it was missing.
🎖@cveNotify
HackerOne
Revive Adserver disclosed on HackerOne: Stored XSS via malicious...
HackerOne community member barcrange (3l4) has reported that usernames could be used as a vector for a stored XSS attack. When an admin user viewed the audit log details for affected entries, any...
🚨 CVE-2025-71382
MuPDF before 1.27.0-rc1 contains an uncontrolled recursion vulnerability in the EPUB CSS rendering engine that allows remote attackers to cause a denial of service by supplying a maliciously crafted EPUB file with deeply nested HTML elements and inline CSS styles. The function value_from_inheritable_property() in css-apply.c recurses through the CSS property inheritance chain without a depth limit, exhausting the process stack and causing a crash in any application using MuPDF for EPUB rendering.
🎖@cveNotify
MuPDF before 1.27.0-rc1 contains an uncontrolled recursion vulnerability in the EPUB CSS rendering engine that allows remote attackers to cause a denial of service by supplying a maliciously crafted EPUB file with deeply nested HTML elements and inline CSS styles. The function value_from_inheritable_property() in css-apply.c recurses through the CSS property inheritance chain without a depth limit, exhausting the process stack and causing a crash in any application using MuPDF for EPUB rendering.
🎖@cveNotify
🚨 CVE-2026-0864
When using the "configparser" module to write configuration files
containing multi-line text values with carriage return characters (\r) the
resulting file could be injected with unexpected keys and values if the
attacker controls the written value.
🎖@cveNotify
When using the "configparser" module to write configuration files
containing multi-line text values with carriage return characters (\r) the
resulting file could be injected with unexpected keys and values if the
attacker controls the written value.
🎖@cveNotify
GitHub
[3.15] gh-143927: Normalize all line endings (CR, CRLF, and LF) in co… · python/cpython@0adb386
…nfigparser (GH-143929) (GH-152002)
gh-143927: Normalize all line endings (CR, CRLF, and LF) in configparser (GH-143929)
(cherry picked from commit 5858e42c539dac8394636a6e9b30472b8994851f)
Co-au...
gh-143927: Normalize all line endings (CR, CRLF, and LF) in configparser (GH-143929)
(cherry picked from commit 5858e42c539dac8394636a6e9b30472b8994851f)
Co-au...
🚨 CVE-2026-11972
When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.
🎖@cveNotify
When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.
🎖@cveNotify
GitHub
tarfile._Stream.seek ignores EOF · Issue #151981 · python/cpython
Bug report The forward-seek routine of tarfile._Stream reads a given number of blocks, even if it hits an end of file. A large seek can lead to a long no-op loop. Linked PRs gh-151982 gh-151991 gh-...
🚨 CVE-2026-56785
FlatPress contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.
🎖@cveNotify
FlatPress contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.
🎖@cveNotify
GitHub
GitHub - dilipk5/flatpressd-cms-sxss
Contribute to dilipk5/flatpressd-cms-sxss development by creating an account on GitHub.